Notice that the XOR cipher resulted in bytes that are not printable (in yellow).

NULL-preserving XOR

NULL-preserving XOR works like plain XOR, except that bytes equal to NULL (0x00) or to the XOR key itself (e.g. 0x3c) are left unchanged. The reason is that plain XOR maps 0x00 to the key and the key byte to 0x00, so the long runs of NULL padding typical of an embedded executable would show the key in clear text. Skipping those two values keeps the transform its own inverse: no other byte XORs to 0x00 or to the key, so decoding is the same operation as encoding.

Brute Forcing

Single-byte XOR

You can use the following approach to generate all 255 possible single-byte XOR encodings of the plain string "This program" (the start of the DOS stub message present in every PE file) and turn each one into a Yara rule, so that XOR-encoded executable resources embedded in malware can be detected. Recent YARA versions can do this natively with the xor string modifier (e.g. $a = "This program" xor, which matches every single-byte key), but generating explicit hex rules still works with any version and is the only option for the NULL-preserving variant below.

NULL-preserving XOR

You can use the following python script to generate all 255 possible single-byte NULL-preserving XOR encodings of the plain string "This program", one Yara rule per key, and use Yara to detect the presence of NULL-preserving XOR encrypted resources in malware.

#!/usr/bin/env python3
# Emit one Yara rule per single-byte key (0x01-0xff) for the
# NULL-preserving XOR encoding of the string "This program".
s = b"This program"

for key in range(1, 256):
    h = []
    # Encode each byte of the string
    for b in s:
        # A NULL byte or a byte equal to the key is left unmodified.
        # There is no NULL byte in our string, so only the key test matters.
        if b == 0x00 or b == key:
            h.append("%02X" % b)
        else:
            h.append("%02X" % (b ^ key))
    print("rule resource_NULL_preserving_XOR_0x%02x" % key)
    print("{")
    print("  meta:")
    print('    description = "Resource NULL-Preserving XOR 0x%02x"' % key)
    print("")
    print("  strings:")
    print("    $a = {%s}" % " ".join(h))
    print("")
    print("  condition:")
    print("    any of them")
    print("}")
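The Yara rules above detect an encoded resource; the natural next step is recovering the key and telling the two schemes apart. The following script is an added example (not code from the original page): it implements both plain single-byte XOR and NULL-preserving XOR, brute-forces every key against a buffer using "This program" as known plaintext, and uses the NULL padding to decide which scheme was used. The sample buffer is constructed for the demonstration (the DOS stub text followed by NULL bytes) and the key 0x3c is an arbitrary choice.

```python
#!/usr/bin/env python3
"""Single-byte XOR vs NULL-preserving XOR: encode, decode, brute-force the key.

Added example, not code from the original page. The sample buffer is
constructed: the DOS-stub message found at the start of every PE file,
followed by NULL padding, as an embedded executable resource would look.
"""

KNOWN_PLAINTEXT = b"This program"


def xor_encode(data: bytes, key: int) -> bytes:
    """Plain single-byte XOR; applying it twice restores the data."""
    return bytes(b ^ key for b in data)


def null_preserving_xor(data: bytes, key: int) -> bytes:
    """XOR with `key`, but leave 0x00 and bytes equal to `key` unchanged.

    Plain XOR maps 0x00 -> key and key -> 0x00, so NULL padding would print
    the key in clear text. No other byte XORs to 0x00 or to `key`, so the
    transform stays its own inverse.
    """
    return bytes(b if b in (0x00, key) else b ^ key for b in data)


SCHEMES = (("xor", xor_encode), ("null_preserving_xor", null_preserving_xor))


def brute_force(blob: bytes, plaintext: bytes = KNOWN_PLAINTEXT):
    """Every (key, scheme) whose decoding of `blob` contains `plaintext`."""
    return [(key, name)
            for key in range(1, 256)          # key 0x00 is the identity
            for name, fn in SCHEMES
            if plaintext in fn(blob, key)]


def recover(blob: bytes, plaintext: bytes = KNOWN_PLAINTEXT):
    """Pick the most plausible (key, scheme), or None if nothing matches.

    Both schemes decode the known-plaintext region identically unless it holds
    0x00 or the key byte, so a hit alone cannot tell them apart. Tie-break on
    the number of NULL bytes in the whole decoded buffer: the right scheme
    turns the padding back into 0x00, the wrong one turns it into the key.
    """
    best = None
    for key, name in brute_force(blob, plaintext):
        score = dict(SCHEMES)[name](blob, key).count(0)
        if best is None or score > best[0]:
            best = (score, key, name)
    return None if best is None else (best[1], best[2])


# Constructed sample: DOS-stub text plus 16 bytes of NULL padding.
SAMPLE_PLAIN = b"This program cannot be run in DOS mode.\r\n" + b"\x00" * 16
SAMPLE_XOR = xor_encode(SAMPLE_PLAIN, 0x3C)             # padding becomes 0x3c
SAMPLE_NPX = null_preserving_xor(SAMPLE_PLAIN, 0x3C)    # padding stays 0x00

if __name__ == "__main__":
    print("plain XOR tail:   ", SAMPLE_XOR[-4:].hex())   # key leaked in padding
    print("NULL-preserving:  ", SAMPLE_NPX[-4:].hex())   # padding still NULL
    print("recovered:", recover(SAMPLE_XOR), recover(SAMPLE_NPX))
```

Run it and compare the two tails: the plain-XOR buffer ends in a run of 0x3c, which is exactly the key, while the NULL-preserving buffer ends in NULLs and gives nothing away. The known-plaintext match alone returns both schemes for key 0x3c; only the padding heuristic in recover() separates them, which is the practical caveat when writing a generic unpacker.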

XOR in assembly code

Recognizing XOR

Not every xor instruction in disassembled code indicates XOR encryption. Compilers emit xor reg, reg to zero a register (it is shorter than mov reg, 0), and xor also shows up in flag tests and checksums. A decryption routine looks different: the xor operates on a memory location (or a register just loaded from memory) against an immediate or a key register, inside a loop with a counter or pointer advancing over the buffer and a conditional backward jump.
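The distinction above can be scripted as a first-pass triage over a text listing. The following is an added example (not from the original page): it parses objdump-style "address: mnemonic operands" lines, marks xor reg, reg as the zeroing idiom, and flags a xor against memory or an immediate as a loop candidate when a later jump targets an address at or before it. The listing is constructed for the demonstration, and the loop test is a deliberately simple heuristic rather than real control-flow analysis.

```python
#!/usr/bin/env python3
"""Heuristic triage of xor instructions in a text disassembly listing.

Added example, not code from the original page. The listing below is
constructed (Intel syntax, objdump-like "addr: mnemonic operands" lines) and
the loop test is a simple heuristic, not a full control-flow analysis.
"""
import re

# Constructed listing: a byte-wise XOR decode loop with key 0x3c, plus the
# register-zeroing idiom before and after it.
LISTING = """\
00401000: push ebp
00401001: mov ebp, esp
00401003: xor eax, eax
00401005: mov esi, [ebp+8]
00401008: mov ecx, [ebp+0xc]
0040100b: xor byte ptr [esi+eax], 0x3c
0040100f: inc eax
00401010: cmp eax, ecx
00401012: jb 0x40100b
00401014: xor edx, edx
00401016: pop ebp
00401017: ret
"""

LINE_RE = re.compile(r"^\s*([0-9a-fA-F]+):\s+(\w+)\s*(.*)$")


def parse(listing: str):
    """Turn listing lines into (address, mnemonic, [operands]) tuples."""
    insns = []
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ops = [o.strip() for o in m.group(3).split(",")] if m.group(3) else []
        insns.append((int(m.group(1), 16), m.group(2).lower(), ops))
    return insns


def classify_xor(insns):
    """Label every xor: 'zero-idiom', 'loop-candidate' or 'other'.

    - xor reg, reg is the compiler's way to zero a register, not crypto.
    - xor against memory or an immediate, followed by a jump that goes back
      to (or before) the xor, is what a byte-wise decryption loop looks like.
    """
    verdicts = []
    for i, (addr, mnem, ops) in enumerate(insns):
        if mnem != "xor":
            continue
        if len(ops) == 2 and ops[0] == ops[1]:
            verdicts.append((addr, "zero-idiom"))
            continue
        in_loop = False
        for _, m2, ops2 in insns[i + 1:]:
            if m2.startswith("j") and ops2:
                try:
                    target = int(ops2[0], 16)
                except ValueError:
                    continue          # indirect jump, e.g. jmp eax
                if target <= addr:    # backward edge spanning this xor
                    in_loop = True
                    break
        verdicts.append((addr, "loop-candidate" if in_loop else "other"))
    return verdicts


def decryption_candidates(listing: str):
    """Addresses of xor instructions worth a closer look."""
    return [addr for addr, v in classify_xor(parse(listing))
            if v == "loop-candidate"]


if __name__ == "__main__":
    for addr, verdict in classify_xor(parse(LISTING)):
        print("0x%08x  %s" % (addr, verdict))
```

On the sample listing only the xor at 0x40100b is reported as a candidate; the two xor eax, eax / xor edx, edx instructions are dismissed as register zeroing. In a real sample the candidate list is the starting point for setting a breakpoint after the loop and dumping the decoded buffer.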

translate.py, a Python script written by Didier Stevens, performs bitwise operations on files (XOR, ROL/ROR, ...). You specify the operation to perform as a Python expression evaluated for each input byte (referred to as byte, e.g. byte ^ 0x3c to XOR every byte with 0x3c) and pass it as a command-line argument.